System and method for automatic data classification for use with data collection system and process control system

ABSTRACT

A method includes accessing, from a data store, at least one predefined data classification for asset data associated with multiple assets in an industrial process control system, wherein the at least one predefined data classification is associated with one or more first policies, wherein the data store stores a plurality of data classifications for asset data. The method also includes receiving user input of a customization to the at least one predefined data classification to generate at least one customized data classification associated with one or more second policies. The method further includes storing the at least one customized data classification in the data store. The method also includes collecting asset data from at least one of the multiple assets. The method further includes processing the collected asset data according to the one or more second policies associated with the at least one customized data classification.

TECHNICAL FIELD

This disclosure relates generally to industrial process control andautomation systems. More specifically, this disclosure relates to asystem and method for automatic data classification for use with a datacollection system and an industrial process control and automationsystem.

BACKGROUND

Large-scale systems, such as industrial process control and automationsystems, often include hundreds or thousands of system assets likecomputers, sensors, actuators, and controllers. In order to ensure thatsuch large systems are performing optimally, it is beneficial toregularly monitor the health and performance of system assets, such asby using a health and performance monitoring system. When installing anew monitoring system, several weeks of effort may be required to fullyconfigure the system for data collection. For example, such systems canrequire considerable time by site experts to identify the assets to bemonitored. In addition, when installing and collecting data fromon-premises systems (including OEM systems), existing solutions requirethe installer to explicitly specify the classification and provide othercontexts to the identified assets. This requires considerable humaneffort and often results in numerous data entry errors and added costs.

SUMMARY

This disclosure provides a system and method for automatic dataclassification for use with a data collection system and an industrialprocess control and automation system.

In a first embodiment, a method includes accessing, by at least oneprocessing device from a data store, at least one predefined dataclassification for asset data associated with multiple assets in anindustrial process control system, wherein the at least one predefineddata classification is associated with one or more first policies,wherein the data store stores a plurality of data classifications forasset data. The method also includes receiving, by the at least oneprocessing device, user input of a customization to the at least onepredefined data classification to generate at least one customized dataclassification associated with one or more second policies. The methodalso includes storing, by the at least one processing device, the atleast one customized data classification in the data store. The methodalso includes collecting, by the at least one processing device, assetdata from at least one of the multiple assets. The method also includesprocessing, by the at least one processing device, the collected assetdata according to the one or more second policies associated with the atleast one customized data classification.

In a second embodiment, an apparatus includes at least one processingdevice. The at least one processing device is configured to access, froma data store, at least one predefined data classification for asset dataassociated with multiple assets in an industrial process control system,wherein the at least one predefined data classification is associatedwith one or more first policies, wherein the data store stores aplurality of data classifications for asset data. The at least oneprocessing device is also configured to receive user input of acustomization to the at least one predefined data classification togenerate at least one customized data classification associated with oneor more second policies. The at least one processing device is alsoconfigured to store the at least one customized data classification inthe data store. The at least one processing device is also configured tocollect asset data from at least one of the multiple assets. The atleast one processing device is also configured to process the collectedasset data according to the one or more second policies associated withthe at least one customized data classification.

In a third embodiment, a non-transitory computer readable mediumcontains instructions that, when executed by at least one processingdevice, cause the at least one processing device to access, from a datastore, at least one predefined data classification for asset dataassociated with multiple assets in an industrial process control system,wherein the at least one predefined data classification is associatedwith one or more first policies, wherein the data store stores aplurality of data classifications for asset data; receive user input ofa customization to the at least one predefined data classification togenerate at least one customized data classification associated with oneor more second policies; store the at least one customized dataclassification in the data store; collect asset data from at least oneof the multiple assets; and process the collected asset data accordingto the one or more second policies associated with the at least onecustomized data classification.

Other technical features may be readily apparent to one skilled in theart from the following figures, descriptions, and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of this disclosure, reference is nowmade to the following description, taken in conjunction with theaccompanying drawings, in which:

FIG. 1 illustrates an example industrial process control and automationsystem according to this disclosure;

FIG. 2 illustrates an example framework for automatic configuration of adata collection system and schedule for control system monitoringaccording to this disclosure;

FIG. 3 illustrates an example method for classification of data typesfor use with a data collection system associated with control systemmonitoring, according to this disclosure; and

FIG. 4 illustrates an example device supporting classification of datatypes for use with a data collection system associated with controlsystem monitoring, according to this disclosure.

DETAILED DESCRIPTION

The figures discussed below and the various embodiments used to describethe principles of the present invention in this patent document are byway of illustration only and should not be construed in any way to limitthe scope of the invention. Those skilled in the art will understandthat the principles of the invention may be implemented in any type ofsuitably arranged device or system.

FIG. 1 illustrates an example industrial process control and automationsystem 100 according to this disclosure. As shown in FIG. 1, the system100 includes various components that facilitate production or processingof at least one product or other material. For instance, the system 100is used here to facilitate control over components in one or multipleplants 101 a-101 n. Each plant 101 a-101 n represents one or moreprocessing facilities (or one or more portions thereof), such as one ormore manufacturing facilities for producing at least one product orother material. In general, each plant 101 a-101 n may implement one ormore processes and can individually or collectively be referred to as aprocess system. A process system generally represents any system orportion thereof configured to process one or more products or othermaterials in some manner.

In FIG. 1, the system 100 is implemented using the Purdue model ofprocess control. In the Purdue model, “Level 0” may include one or moresensors 102 a and one or more actuators 102 b. The sensors 102 a andactuators 102 b represent components in a process system that mayperform any of a wide variety of functions. For example, the sensors 102a could measure a wide variety of characteristics in the process system,such as temperature, pressure, or flow rate. Also, the actuators 102 bcould alter a wide variety of characteristics in the process system. Thesensors 102 a and actuators 102 b could represent any other oradditional components in any suitable process system. Each of thesensors 102 a includes any suitable structure for measuring one or morecharacteristics in a process system. Each of the actuators 102 bincludes any suitable structure for operating on or affecting one ormore conditions in a process system.

At least one network 104 is coupled to the sensors 102 a and actuators102 b. The network 104 facilitates interaction with the sensors 102 aand actuators 102 b. For example, the network 104 could transportmeasurement data from the sensors 102 a and provide control signals tothe actuators 102 b. The network 104 could represent any suitablenetwork or combination of networks. As particular examples, the network104 could represent an Ethernet network, an electrical signal network(such as a HART or FOUNDATION FIELDBUS network), a pneumatic controlsignal network, or any other or additional type(s) of network(s).

In the Purdue model, “Level 1” may include one or more controllers 106,which are coupled to the network 104. Among other things, eachcontroller 106 may use the measurements from one or more sensors 102 ato control the operation of one or more actuators 102 b. For example, acontroller 106 could receive measurement data from one or more sensors102 a and use the measurement data to generate control signals for oneor more actuators 102 b. Multiple controllers 106 could also operate inredundant configurations, such as when one controller 106 operates as aprimary controller while another controller 106 operates as a backupcontroller (which synchronizes with the primary controller and can takeover for the primary controller in the event of a fault with the primarycontroller). Each controller 106 includes any suitable structure forinteracting with one or more sensors 102 a and controlling one or moreactuators 102 b. Each controller 106 could, for example, represent amultivariable controller, such as a Robust Multivariable PredictiveControl Technology (RMPCT) controller or other type of controllerimplementing model predictive control (MPC) or other advanced predictivecontrol (APC). As a particular example, each controller 106 couldrepresent a computing device running a real-time operating system.

Two networks 108 are coupled to the controllers 106. The networks 108facilitate interaction with the controllers 106, such as by transportingdata to and from the controllers 106. The networks 108 could representany suitable networks or combination of networks. As particularexamples, the networks 108 could represent a pair of Ethernet networksor a redundant pair of Ethernet networks, such as a FAULT TOLERANTETHERNET (FTE) network from HONEYWELL INTERNATIONAL INC.

At least one switch/firewall 110 couples the networks 108 to twonetworks 112. The switch/firewall 110 may transport traffic from onenetwork to another. The switch/firewall 110 may also block traffic onone network from reaching another network. The switch/firewall 110includes any suitable structure for providing communication betweennetworks, such as a HONEYWELL CONTROL FIREWALL (CF9) device. Thenetworks 112 could represent any suitable networks, such as a pair ofEthernet networks or an FTE network.

In the Purdue model, “Level 2” may include one or more machine-levelcontrollers 114 coupled to the networks 112. The machine-levelcontrollers 114 perform various functions to support the operation andcontrol of the controllers 106, sensors 102 a, and actuators 102 b,which could be associated with a particular piece of industrialequipment (such as a boiler or other machine). For example, themachine-level controllers 114 could log information collected orgenerated by the controllers 106, such as measurement data from thesensors 102 a or control signals for the actuators 102 b. Themachine-level controllers 114 could also execute applications thatcontrol the operation of the controllers 106, thereby controlling theoperation of the actuators 102 b. In addition, the machine-levelcontrollers 114 could provide secure access to the controllers 106. Eachof the machine-level controllers 114 includes any suitable structure forproviding access to, control of, or operations related to a machine orother individual piece of equipment. Each of the machine-levelcontrollers 114 could, for example, represent a server computing devicerunning a MICROSOFT WINDOWS operating system. Although not shown,different machine-level controllers 114 could be used to controldifferent pieces of equipment in a process system (where each piece ofequipment is associated with one or more controllers 106, sensors 102 a,and actuators 102 b).

One or more operator stations 116 are coupled to the networks 112. Theoperator stations 116 represent computing or communication devicesproviding user access to the machine-level controllers 114, which couldthen provide user access to the controllers 106 (and possibly thesensors 102 a and actuators 102 b). As particular examples, the operatorstations 116 could allow users to review the operational history of thesensors 102 a and actuators 102 b using information collected by thecontrollers 106 and/or the machine-level controllers 114. The operatorstations 116 could also allow the users to adjust the operation of thesensors 102 a, actuators 102 b, controllers 106, or machine-levelcontrollers 114. In addition, the operator stations 116 could receiveand display warnings, alerts, or other messages or displays generated bythe controllers 106 or the machine-level controllers 114. Each of theoperator stations 116 includes any suitable structure for supportinguser access and control of one or more components in the system 100.Each of the operator stations 116 could, for example, represent acomputing device running a MICROSOFT WINDOWS operating system.

At least one router/firewall 118 couples the networks 112 to twonetworks 120. The router/firewall 118 includes any suitable structurefor providing communication between networks, such as a secure router orcombination router/firewall. The networks 120 could represent anysuitable networks, such as a pair of Ethernet networks or an FTEnetwork.

In the Purdue model, “Level 3” may include one or more unit-levelcontrollers 122 coupled to the networks 120. Each unit-level controller122 is typically associated with a unit in a process system, whichrepresents a collection of different machines operating together toimplement at least part of a process. The unit-level controllers 122perform various functions to support the operation and control ofcomponents in the lower levels. For example, the unit-level controllers122 could log information collected or generated by the components inthe lower levels, execute applications that control the components inthe lower levels, and provide secure access to the components in thelower levels. Each of the unit-level controllers 122 includes anysuitable structure for providing access to, control of, or operationsrelated to one or more machines or other pieces of equipment in aprocess unit. Each of the unit-level controllers 122 could, for example,represent a server computing device running a MICROSOFT WINDOWSoperating system. Additionally or alternatively, each controller 122could represent a multivariable controller, such as a HONEYWELL C300controller. Although not shown, different unit-level controllers 122could be used to control different units in a process system (where eachunit is associated with one or more machine-level controllers 114,controllers 106, sensors 102 a, and actuators 102 b).

Access to the unit-level controllers 122 may be provided by one or moreoperator stations 124. Each of the operator stations 124 includes anysuitable structure for supporting user access and control of one or morecomponents in the system 100. Each of the operator stations 124 could,for example, represent a computing device running a MICROSOFT WINDOWSoperating system.

At least one router/firewall 126 couples the networks 120 to twonetworks 128. The router/firewall 126 includes any suitable structurefor providing communication between networks, such as a secure router orcombination router/firewall. The networks 128 could represent anysuitable networks, such as a pair of Ethernet networks or an FTEnetwork.

In the Purdue model, “Level 4” may include one or more plant-levelcontrollers 130 coupled to the networks 128. Each plant-level controller130 is typically associated with one of the plants 101 a-101 n, whichmay include one or more process units that implement the same, similar,or different processes. The plant-level controllers 130 perform variousfunctions to support the operation and control of components in thelower levels. As particular examples, the plant-level controller 130could execute one or more manufacturing execution system (MES)applications, scheduling applications, or other or additional plant orprocess control applications. Each of the plant-level controllers 130includes any suitable structure for providing access to, control of, oroperations related to one or more process units in a process plant. Eachof the plant-level controllers 130 could, for example, represent aserver computing device running a MICROSOFT WINDOWS operating system.

Access to the plant-level controllers 130 may be provided by one or moreoperator stations 132. Each of the operator stations 132 includes anysuitable structure for supporting user access and control of one or morecomponents in the system 100. Each of the operator stations 132 could,for example, represent a computing device running a MICROSOFT WINDOWSoperating system.

At least one router/firewall 134 couples the networks 128 to one or morenetworks 136. The router/firewall 134 includes any suitable structurefor providing communication between networks, such as a secure router orcombination router/firewall. The network 136 could represent anysuitable network, such as an enterprise-wide Ethernet or other networkor all or a portion of a larger network (such as the Internet).

In the Purdue model, “Level 5” may include one or more enterprise-levelcontrollers 138 coupled to the network 136. Each enterprise-levelcontroller 138 is typically able to perform planning operations formultiple plants 101 a-101 n and to control various aspects of the plants101 a-101 n. The enterprise-level controllers 138 can also performvarious functions to support the operation and control of components inthe plants 101 a-101 n. As particular examples, the enterprise-levelcontroller 138 could execute one or more order processing applications,enterprise resource planning (ERP) applications, advanced planning andscheduling (APS) applications, or any other or additional enterprisecontrol applications. Each of the enterprise-level controllers 138includes any suitable structure for providing access to, control of, oroperations related to the control of one or more plants. Each of theenterprise-level controllers 138 could, for example, represent a servercomputing device running a MICROSOFT WINDOWS operating system. In thisdocument, the term “enterprise” refers to an organization having one ormore plants or other processing facilities to be managed. Note that if asingle plant 101 a is to be managed, the functionality of theenterprise-level controller 138 could be incorporated into theplant-level controller 130.

Access to the enterprise-level controllers 138 may be provided by one ormore operator stations 140. Each of the operator stations 140 includesany suitable structure for supporting user access and control of one ormore components in the system 100. Each of the operator stations 140could, for example, represent a computing device running a MICROSOFTWINDOWS operating system.

Various levels of the Purdue model can include other components, such asone or more databases. The database(s) associated with each level couldstore any suitable information associated with that level or one or moreother levels of the system 100. For example, a historian 141 can becoupled to the network 136. The historian 141 could represent acomponent that stores various information about the system 100. Thehistorian 141 could, for instance, store information used duringproduction scheduling and optimization. The historian 141 represents anysuitable structure for storing and facilitating retrieval ofinformation. Although shown as a single centralized component coupled tothe network 136, the historian 141 could be located elsewhere in thesystem 100, or multiple historians could be distributed in differentlocations in the system 100.

In particular embodiments, the various controllers and operator stationsin FIG. 1 may represent computing devices. For example, each of thecontrollers and operator stations could include one or more processingdevices and one or more memories for storing instructions and data used,generated, or collected by the processing device(s). Each of thecontrollers and operator stations could also include at least onenetwork interface, such as one or more Ethernet interfaces or wirelesstransceivers.

As described in more detail below, various components in the system 100could be designed or modified to operate in conjunction with a datacollection system and schedule for monitoring of the system 100. Inaddition, one or more components of the system 100 could be configuredto perform automatic data classification for use with such a datacollection system. For example, one or more of the operator stations116, 124, 132, 140 or the historian 141 could be configured toautomatically classify asset related data (e.g., asset health orperformance information) that is then collected and processed by a datacollection system according to a collection schedule.

Although FIG. 1 illustrates one example of an industrial process controland automation system 100, various changes may be made to FIG. 1. Forexample, the system 100 could include any number of sensors, actuators,controllers, servers, operator stations, networks, and other components.Also, the makeup and arrangement of the system 100 in FIG. 1 is forillustration only. Components could be added, omitted, combined, orplaced in any other suitable configuration according to particularneeds. Further, particular functions have been described as beingperformed by particular components of the system 100. This is forillustration only. In general, control and automation systems are highlyconfigurable and can be configured in any suitable manner according toparticular needs. In addition, FIG. 1 illustrates one exampleoperational environment where data associated with a data collectionsystem can be automatically classified. This functionality can be usedin any other suitable system, and the system need not be related toindustrial process control and automation.

FIG. 2 illustrates an example framework 200 for automatic configurationof a data collection system and schedule for control system monitoringaccording to this disclosure. The framework 200 could, for example, beused for configuring a system that monitors components in the system 100of FIG. 1. However, the framework 200 could be used with any othersuitable system. In some embodiments, the framework 200 is similar to,or the same as, a framework described in the Applicant's co-pendingpatent application U.S. Ser. No. 15/436,130, the contents of which areincorporated herein by reference.

As shown in FIG. 2, the framework 200 includes a number of inputcomponents, including assets 205, a collection model 210, applications215, and policies 220. Using these components 205-220 as input sources,the framework 200 can be used to generate a schedule 225 for collectionof data for monitoring the assets of a control system. In someembodiments, a computing device 230, such as a server, can use theframework 200 to generate the schedule 225.

The assets 205 represent one or more assets for which health andperformance data can be collected. The assets 205 may be referred to asresiding in a “collection environment.” Typically, the assets 205 in thecollection environment correspond to various assets that make up all ora portion of a process control system or another type of system. Forexample, some or all of the assets 205 may represent, or be representedby, various components of the system 100 in FIG. 1, such as any of thesensors 102 a, actuators 102 b, controllers 106, 114, 122, 130, 138, oroperator stations 116, 124, 132, 140. In some cases, the assets 205correspond to assets that exist or are installed at one or more plantsites.

The collection model 210 represents a data model defining assetattributes that are known how to collect. These asset attributes can bereferred to as “collection parameters.” The collection parameters can bearranged and categorized according to asset type in the model 210. Forexample, if an asset 205 is a MICROSOFT WINDOWS-based computer, thereare hundreds of known performance indicators, such as central processingunit (CPU) utilization, memory utilization, and disk read time, that canbe read and hundreds of registry entries that can be accessed. Suchcollection parameters for the collection model 210 may be obtained fromasset specifications such as WINDOWS MANAGEMENT INSTRUMENTATION (WMI)for MICROSOFT WINDOWS. As another example, if an asset 205 is anEXPERION server by HONEYWELL INTERNATIONAL INC., there are various knowntypes of collection parameters that can be determined. Together, thecollection parameters for each type of asset 205 make up the collectionmodel 210.

The applications 215 represent one or more executable software orfirmware applications that use health or performance data “streamed”(transmitted or otherwise sent) to the applications 215 on a regular orother basis. In many cases, the applications 215 are utilityapplications associated with a monitoring and reporting system or assethealth in order to ensure optimal performance of a system. As aparticular example, one application 215 can be the WINDOWS PERFORMANCEMONITOR by MICROSOFT. Other applications 215 may include customizedapplications specifically developed for a particular company,enterprise, customer, plant, control system, asset, or asset group. Insome cases, an application 215 can include a financial component thatmeasures financial impacts based on performance and health of company orsystem assets. In general, the applications 215 can include any suitableapplication that uses health or performance data of assets duringoperation.

The policies 220 represent one or more policies or rules that govern,drive, or restrict the collection, distribution, and usage of data. Forexample, some applications 215 may execute on a cloud-based computer orserver. For security reasons, there can be a policy 220 that certaintypes of performance or health information and data will not be sent toan application 215 that operates in a cloud environment. The policies220 can be predefined, customized, or developed from scratch on-site.That is, depending on system requirements, an enterprise or plant canuse one or more predefined policies 220 without modification, customizeone or more predefined policies 220 for particular systemrequirement(s), develop one or more policies 220 from scratch, or anycombination of these. The policies 220 are optional, meaning someenterprises may have no policies 220 that affect the generation of theschedule 225. Further details regarding use of policies 220 aredescribed with respect to FIG. 3 discussed below.

The schedule 225 represents a collection schedule indicating the healthor performance data that is collected from various assets 205, when andhow often the data is collected, and to which applications 215 thehealth or performance data is provided. The schedule 225 is generatedaccording to the framework 200 by cross-referencing the information ofthe assets 205 and the collection model 210 with the applications 215and, optionally, the policies 220.

In some embodiments, the framework 200 generally operates in two stageswithin a target control system, such as the system 100. The first stageincludes initial installation and periodically following of any changesin the assets (such as a plant equipment change). During the firststage, an asset discovery operation is performed to discover the assets205. This may include execution of an asset discovery utility on thecomputing device 230 or other computing device(s) connected to anetwork. The asset discovery utility searches out computers,controllers, network switches, and any other assets 205, determines thefunctionality of each asset 205, and records the assets 205 in adatabase 235 or other data store.

During the second stage, the collection model 210 is cross-referencedwith each asset 205 based on the functions discovered for that asset205. This identifies what data or information could be collected fromthe assets 205. That is, using the information about the assets 205 andthe collection model 210, the framework 200 can identify the data pointsthat could be collected from the assets 205. The information that couldbe collected is then cross-referenced with the requirements of theapplications 215 that use such data or information and, optionally, thepolicies 220 that govern data usage to identify what data or informationshould actually be collected.

In particular embodiments, a process for using the framework 200 is asfollows. First, the computing device 230 is installed at a site that isaccessible to a plant operator. The computing device 230 represents anysuitable computing device capable of processing data and communicatingwith other computing devices over one or more networks. The computingdevice 230 can represent, or be represented by, one or more of theoperator stations 116, 124, 132, 140 or the historian 141 of FIG. 1. Insome cases, the computing device 230 may be installed in a cloudenvironment and may be accessed by the plant operator over a local areanetwork (LAN), wide area network (WAN), virtual private network (VPN),or other network connection. The collection model 210 can then beinstalled for use by the computing device 230. This can include storingthe collection model in the database 235. In some embodiments, thedatabase 235 may represent a relational database or other data storagespace disposed in a memory of the computing device 230 or in anotherdevice communicatively coupled to the computing device 230, such as viaa bus or a network connection.

Later, assets 205 may be discovered and entered into the database 235via one or more asset discovery processes. This may include using ACTIVEDIRECTORY for MICROSOFT WINDOWS or querying an EXPERION server todetermine what controllers are connected to the EXPERION server.Together, the assets 205 and the collection model 210 providecollectable information of the plant or system. At some point, one ormore applications 215 are installed to be in communication with theplant or system. Each application 215 may require or use informationfrom one or more assets 205. Information from each application 215 mayalso be stored in the database 235.

If an asset 205 is indicated as an asset from which information may beneeded, a data collection application 240 (also referred to as an “app”)can be installed on the asset 205 to manage the collection of data fromthat asset. The app 240 communicates with the computing device 230 inorder to determine (i) what information from the asset 205 should becollected by the app 240 and sent to the computing device 230 and (ii)when and how often the information is required or requested. Thiscommunication can occur in any suitable manner, such as through a webapplication programming interface (API) or other suitable communicationprotocol. The computing device 230 can respond to the app 240 with allor portions of the collection schedule 225 for collecting particularinformation at particular times. This can be done automatically. In someembodiments, while the computing device 230 determines the schedule 225,the schedule 225 may not be stored at the computing device 230. Instead,the schedule 225 can be stored at the assets 205. In other embodiments,the schedule 225 could be maintained at the computing device 230.

Although FIG. 2 illustrates one example of a framework 200 for automaticconfiguration of a data collection system and schedule for controlsystem monitoring, various changes may be made to FIG. 2. For example,components could be added, omitted, combined, further subdivided, orplaced in any other suitable configuration according to particularneeds. Also, system frameworks can come in a variety of configurations,and FIG. 2 does not limit this disclosure to any particularconfiguration of framework.

The framework 200 provides a generalized framework that facilitatescollection of asset data from many different sources. Because theframework 200 is generalized and flexible, it can be necessary tocustomize the framework 200 to adhere to specific policies or rules(such as the policies 220) that address the collection, storage, and useof disparate types of asset data. The policies are typically based onthe type or “classification” of the data in question.

“Classification” of data addresses what the data is related to. Examplesof different classifications of data can include financial data,personal data, process system and operational data (e.g., tank level,temperature, production outputs, etc.), inventory data, and the like.Some data can have multiple classifications. For example, productionoutput of an industrial process control system could be operational dataas a measure of the production system's performance, but also financialdata in that the output can represent an asset with an economic value.Each of the different classifications of data can trigger differentpolicies or rules in how the data is collected, stored, presented, andprocessed. Such policies can be company-specific, industry-specific,geography-specific, or the like. Some policies can address security orlegal considerations, such as who can see the data, whether or not thedata can be transmitted to certain geographical or functional locations,and the like.

For example, some companies or corporate entities may have one or moreinformation security policies that govern which employees have access tocertain types of data. As another example, some geographical orpolitical jurisdictions have one or more policies that affect collectionand storage of data. As a specific example, “personal data” is definedin many legal jurisdictions with respect to certain types of datauniquely associated with an individual person. In Europe, there arelegal restrictions as to what a company can do with “personal data,”such as where the personal data can be stored. For example, if a companywith European operations stores personal data in a database serverlocated in Europe and wants to geo-replicate the data in a NorthAmerican server, the company may be in violation of certain Europeanlaws governing the storage of personal data.

While it would be possible to classify data as it is collected using theframework 200, or even after the data is collected and stored, it isadvantageous to have a predefined classification for different types ofdata before the collection process occurs. This ensures that the datacollection process performed by the framework 200 is performed withimproved accuracy and speed. For example, if certain types of data arepre-classified, then the framework 200 will know how to collect andstore the data (or even know to not collect or store the data) accordingto one or more of the policies 220 when data of this type isencountered. This can ensure, for example, that the framework 200 doesnot transmit sensitive data to the wrong place.

As a particular example, based on data classification and a policy 220for that classification, security for certain classifications of datacan be segmented, e.g., who has access to what types or classes of data.As another particular example, if the classification is “desktopcomputer,” various policies can be defined for collection of CPUutilization, used and available storage, etc. In addition to datacollection and storage, the predefined classifications can also guideother data analytics and operations that may be performed, such assorting, filtering, limit checking, and alarm generation.

In some embodiments, the classification is a metadata tag that can beattached to and stored with the data so that the data can be readilyprocessed according to some policy. When data belongs to more than oneclassification, then multiple tags can be attached to the data.

FIG. 3 illustrates an example method 300 for classification of datatypes for use with a data collection system associated with controlsystem monitoring, according to this disclosure. For ease ofexplanation, the method 300 is described as being performed using one ofthe operator stations 116, 124, 132, 140 of FIG. 1 or the computingdevice 230 of FIG. 2. However, the method 300 could be used with anysuitable device or system.

At step 301, a computing device receives user input of dataclassification information associated with multiple assets in accordancewith one or more policies. This may include, for example, a user (e.g.,a data administrator, engineer, or management personnel) entering,updating, or maintaining data classifications for asset data andassociating the data classifications with one or more policies 220 thathave rules, restrictions, etc., related to the data classifications. Theinformation is stored in a data storage, such as the database 235. (Asused herein, the term “database” can include data stores other than arelational database. For example, a database can include one or moreflat files.) As a particular example, the user may determine that“boiler temperature” should have an “operational data” classificationthat is subject to a particular data retention policy, due to regulatoryrequirements. The user can use a graphical user interface to generate adatabase record that links the asset data “boiler temperature” and itsclassification “operational data.” The user can also define and maintainone or more data retention policies associated with the classification“operational data.”

Later, the user can enter, update, or maintain data classifications forother types of asset data. As discussed above, the asset data can beassociated with many types of assets (e.g., the assets 205), and theclassifications can include multiple classifications, includingfinancial data, operational data, personal data, and the like. The usercan set or associate various policies 220 with each classification; suchpolicies 220 can include predefined actions or limits based on thisclassification (e.g., What data is collected? Where can the collecteddata be stored? Who can view or edit the collected data? Should thecollected data be encrypted? How long will the data be kept? Should thedata be sent to a cloud network? Can the data be visible to first-levelemployees?). The policies 220 could include various types of policies,including corporate policies, legal policies, regulatory policies,industry standards, regional or geographical customs, and the like.Ultimately, a “policy environment” database 302 is created that definesthe policies and rules for different classifications of asset data.

At step 303, a computing device sends the prepopulated policyenvironment database 302 to a different location for use by anothergroup. For example, in some embodiments, a vendor prepopulates thepolicy environment database 302 and shares the database 302 with one ormore customers. The policy environment database 302 could be included aspart of a data collection solution (e.g., the framework 200) provided bythe vendor to a customer. (As used herein, a vendor can refer to anentity that provides hardware, software, consulting, and/or informationservices to another entity. In some embodiments, a vendor can include anOEM, a third-party partner, and the like. For example, HONEYWELLINTERNATIONAL INC. or one its divisions could be considered a vendor toits customers. As another example, third-party services groups thatpartner with HONEYWELL INTERNATIONAL INC. could be considered a vendorto HONEYWELL's customers.) The policy environment database 302 allowsthe customers to take advantage of the predefined data classificationsand policies as the customer sets up the customer's data collectionsolution. In other embodiments, the policy environment database 302 maybe prepopulated by a central business group of a large organization andthen distributed to different divisions within the organization.

At step 305, a computing device queries the policy environment database302 to access at least one predefined data classification for asset dataassociated with multiple assets. The predefined data classification(s)are associated with one or more policies 220. In some embodiments, theassets may be assets in an industrial process control system. In thisstep, the computing device may be a computing device of an end user,such as a customer's computing device or a computing device in adivision of an organization. The policy environment database 302 isqueried in preparation for customizations to classifications stored inthe database 302.

At step 307, a computing device receives user input of a customizationto predefined data classification(s) to generate at least one customizeddata classification associated with one or more policies 220. This mayinclude a user (e.g., a customer, data administrator, engineer, ormanagement personnel) updating or maintaining existing dataclassifications in the database 302, adding new classifications to thedatabase 302, or deleting existing data classifications in the database302. In particular, the user can review the predefined classificationsand policies in the database 302 and can then implement them as theyexist or make changes or customizations as needed.

At step 309, a computing device stores the customizations to theclassification data from step 307 in the database 302.

At step 311, a computing device (e.g., a computing device executing thedata collection app 240) uses the classification information in thedatabase 302 while performing a data collection process. Theclassification information can impact the data collection process in avariety of ways. For example, in some cases, the classification ofcertain data (e.g., secured or confidential data) may include a policythat the data should not be collected at all. In such a case, when thecomputing device encounters data with this classification, the computingdevice knows to avoid the data and not collect it.

At step 313, after data is collected using the collection process instep 311, one or more applications that make use of the collected datacould also use the classification information in the policy environmentdatabase 302 in order to correctly process, organize, or classify thedata.

Although FIG. 3 illustrates one example of a method 300 forclassification of data types for use with a data collection systemassociated with control system monitoring, various changes may be madeto FIG. 3. For example, while shown as a series of steps, various stepsshown in FIG. 3 could overlap, occur in parallel, occur in a differentorder, or occur multiple times. Moreover, some steps could be combinedor removed and additional steps could be added according to particularneeds.

FIG. 4 illustrates an example device 400 supporting classification ofdata types for use with a data collection system associated with controlsystem monitoring, according to this disclosure. The device 400 could,for example, represent the computing device 230 of FIG. 2 or one of theoperator stations 116, 124, 132, 140 of FIG. 1. However, the computingdevice 230 and the operator stations 116, 124, 132, 140 could beimplemented using any other suitable device or system, and the device400 could be used in any other suitable system.

As shown in FIG. 4, the device 400 includes at least one processor 402,at least one storage device 404, at least one communications unit 406,and at least one input/output (I/O) unit 408. Each processor 402 canexecute instructions, such as those that may be loaded into a memory412. Each processor 402 denotes any suitable processing device, such asone or more microprocessors, microcontrollers, digital signalprocessors, application specific integrated circuits (ASICs), fieldprogrammable gate arrays (FPGAs), or discrete circuitry.

The memory 412 and a persistent storage 414 are examples of storagedevices 404, which represent any structure(s) capable of storing andfacilitating retrieval of information (such as data, program code,and/or other suitable information on a temporary or permanent basis).The memory 412 may represent a random access memory or any othersuitable volatile or non-volatile storage device(s). The persistentstorage 414 may contain one or more components or devices supportinglonger-term storage of data, such as a read only memory, hard drive,Flash memory, or optical disc. In accordance with this disclosure, thememory 412 and persistent storage 414 may be configured to storeinformation and data associated with classification of data types foruse with a data collection system, such as the framework 200 of FIG. 2.

The communications unit 406 supports communications with other systemsor devices. For example, the communications unit 406 could include anetwork interface card or a wireless transceiver facilitatingcommunications over a wired or wireless network (such as any of thenetworks 104, 108, 112, 120, 128, 136). The communications unit 406 maysupport communications through any suitable physical or wirelesscommunication link(s).

The I/O unit 408 allows for input and output of data. For example, theI/O unit 408 may provide a connection for user input through a keyboard,mouse, keypad, touchscreen, or other suitable input device. The I/O unit408 may also send output to a display, printer, or other suitable outputdevice.

Although FIG. 4 illustrates one example of a device 400 supportingclassification of data types for use with a data collection systemassociated with control system monitoring, various changes may be madeto FIG. 4. For example, various components in FIG. 4 could be combined,further subdivided, or omitted and additional components could be addedaccording to particular needs. Also, computing devices can come in awide variety of configurations, and FIG. 4 does not limit thisdisclosure to any particular configuration of computing device.

As discussed herein, the disclosed embodiments provide a number ofadvantages over conventional systems that do not support automatic dataclassification. For example, the disclosed embodiments increase theaccuracy and decrease the resources required for configuration of assetmetadata that must be entered. This also helps to reduce costs incurredduring configuration period, and makes the configured system availablemore quickly after configuration.

In some embodiments, various functions described in this patent documentare implemented or supported by a computer program that is formed fromcomputer readable program code and that is embodied in a computerreadable medium. The phrase “computer readable program code” includesany type of computer code, including source code, object code, andexecutable code. The phrase “computer readable medium” includes any typeof medium capable of being accessed by a computer, such as read onlymemory (ROM), random access memory (RAM), a hard disk drive, a compactdisc (CD), a digital video disc (DVD), or any other type of memory. A“non-transitory” computer readable medium excludes wired, wireless,optical, or other communication links that transport transitoryelectrical or other signals. A non-transitory computer readable mediumincludes media where data can be permanently stored and media where datacan be stored and later overwritten, such as a rewritable optical discor an erasable memory device.

It may be advantageous to set forth definitions of certain words andphrases used throughout this patent document. The terms “application”and “program” refer to one or more computer programs, softwarecomponents, sets of instructions, procedures, functions, objects,classes, instances, related data, or a portion thereof adapted forimplementation in a suitable computer code (including source code,object code, or executable code). The term “communicate,” as well asderivatives thereof, encompasses both direct and indirect communication.The terms “include” and “comprise,” as well as derivatives thereof, meaninclusion without limitation. The term “or” is inclusive, meaningand/or. The phrase “associated with,” as well as derivatives thereof,may mean to include, be included within, interconnect with, contain, becontained within, connect to or with, couple to or with, be communicablewith, cooperate with, interleave, juxtapose, be proximate to, be boundto or with, have, have a property of, have a relationship to or with, orthe like. The phrase “at least one of,” when used with a list of items,means that different combinations of one or more of the listed items maybe used, and only one item in the list may be needed. For example, “atleast one of: A, B, and C” includes any of the following combinations:A, B, C, A and B, A and C, B and C, and A and B and C.

The description in the present application should not be read asimplying that any particular element, step, or function is an essentialor critical element that must be included in the claim scope. The scopeof patented subject matter is defined only by the allowed claims.Moreover, none of the claims is intended to invoke 35 U.S.C. § 112(f)with respect to any of the appended claims or claim elements unless theexact words “means for” or “step for” are explicitly used in theparticular claim, followed by a participle phrase identifying afunction. Use of terms such as (but not limited to) “mechanism,”“module,” “device,” “unit,” “component,” “element,” “member,”“apparatus,” “machine,” “system,” “processor,” or “controller” within aclaim is understood and intended to refer to structures known to thoseskilled in the relevant art, as further modified or enhanced by thefeatures of the claims themselves, and is not intended to invoke 35U.S.C. § 112(f).

While this disclosure has described certain embodiments and generallyassociated methods, alterations and permutations of these embodimentsand methods will be apparent to those skilled in the art. Accordingly,the above description of example embodiments does not define orconstrain this disclosure. Other changes, substitutions, and alterationsare also possible without departing from the spirit and scope of thisdisclosure, as defined by the following claims.

What is claimed is:
 1. A method comprising: accessing, by at least oneprocessing device from a data store, at least one predefined dataclassification for asset data associated with multiple assets in anindustrial process control system, wherein the at least one predefineddata classification is associated with one or more first policies,wherein the data store stores a plurality of data classifications forasset data; receiving, by the at least one processing device, user inputof a customization to the at least one predefined data classification togenerate at least one customized data classification associated with oneor more second policies; storing, by the at least one processing device,the at least one customized data classification in the data store;collecting, by the at least one processing device, asset data from atleast one of the multiple assets; and processing, by the at least oneprocessing device, the collected asset data according to the one or moresecond policies associated with the at least one customized dataclassification.
 2. The method of claim 1, wherein the data store isreceived from a vendor before the at least one predefined dataclassification is accessed from the data store.
 3. The method of claim2, wherein the data store is prepopulated by the vendor before the datastore is received from the vendor.
 4. The method of claim 1, whereincollecting the asset data from at least one of the multiple assetscomprises collecting the asset data in accordance with at least one ofthe data classifications stored in the data store.
 5. The method ofclaim 1, wherein the predefined and customized data classificationscomprise at least one of financial data, personal data, operationaldata, and inventory data.
 6. The method of claim 1, wherein the firstand second policies comprise at least one of a corporate policy, a legalpolicy, a regulatory policy, an industry standard, and a regional orgeographical custom.
 7. The method of claim 1, wherein the user input ofthe customization to the at least one predefined data classification isreceived at a graphical user interface controlled by the at least oneprocessing device.
 8. An apparatus comprising: at least one processingdevice configured to: access, from a data store, at least one predefineddata classification for asset data associated with multiple assets in anindustrial process control system, wherein the at least one predefineddata classification is associated with one or more first policies,wherein the data store stores a plurality of data classifications forasset data; receive user input of a customization to the at least onepredefined data classification to generate at least one customized dataclassification associated with one or more second policies; store the atleast one customized data classification in the data store; collectasset data from at least one of the multiple assets; and process thecollected asset data according to the one or more second policiesassociated with the at least one customized data classification.
 9. Theapparatus of claim 8, wherein the data store is received from a vendorbefore the at least one predefined data classification is accessed fromthe data store.
 10. The apparatus of claim 9, wherein the data store isprepopulated by the vendor before the data store is received from thevendor.
 11. The apparatus of claim 8, wherein to collect the asset datafrom the at least one asset, the at least one processing device isconfigured to collect the asset data in accordance with at least one ofthe data classifications stored in the data store.
 12. The apparatus ofclaim 8, wherein the predefined and customized data classificationscomprise at least one of financial data, personal data, operationaldata, and inventory data.
 13. The apparatus of claim 8, wherein thefirst and second policies comprise at least one of a corporate policy, alegal policy, a regulatory policy, an industry standard, and a regionalor geographical custom.
 14. The apparatus of claim 8, wherein the userinput of the customization to to the at least one predefined dataclassification is received at a graphical user interface controlled bythe at least one processing device.
 15. A non-transitory computerreadable medium containing instructions that, when executed by at leastone processing device, cause the at least one processing device to:access, from a data store, at least one predefined data classificationfor asset data associated with multiple assets in an industrial processcontrol system, wherein the at least one predefined data classificationis associated with one or more first policies, wherein the data storestores a plurality of data classifications for asset data; receive userinput of a customization to the at least one predefined dataclassification to generate at least one customized data classificationassociated with one or more second policies; store the at least onecustomized data classification in the data store; collect asset datafrom at least one of the multiple assets; and process the collectedasset data according to the one or more second policies associated withthe at least one customized data classification.
 16. The non-transitorycomputer readable medium of claim 15, wherein the data store is receivedfrom a vendor before the at least one predefined data classification isaccessed from the data store.
 17. The non-transitory computer readablemedium of claim 16, wherein the data store is prepopulated by the vendorbefore the data store is received from the vendor.
 18. Thenon-transitory computer readable medium of claim 15, wherein theinstructions to collect the asset data from at least one of the multipleassets comprise instructions to collect the asset data in accordancewith at least one of the data classifications stored in the data store.19. The non-transitory computer readable medium of claim 15, wherein thepredefined and customized data classifications comprise at least one offinancial data, personal data, operational data, and inventory data. 20.The non-transitory computer readable medium of claim 15, wherein thefirst and second policies comprise at least one of a corporate policy, alegal policy, a regulatory policy, an industry standard, and a regionalor geographical custom.